[Samba] Fixing sysvol permissions

L.P.H. van Belle belle at bazuin.nl
Wed Jun 20 09:52:34 UTC 2018


Hai Mark,

Sorry for the late reply, I'm preparing for my holiday and I've lots of work to finish, or I get called in on my holiday..


> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Mark Foley via samba
> Sent: Monday 18 June 2018 18:34
> To: samba at lists.samba.org
> Subject: Re: [Samba] Fixing sysvol permissions
> 
> On Fri, 15 Jun 2018 12:32:52 +0200 L.P.H. van Belle wrote:
> >
> > > OK, Everyone is currently set to FULL CONTROL. I'll set 
> that to READ.
> >
> > Ai, now... Nobody can write over the share, pc's wil complain. 
> > Some GPO setting will stop working. 
> 
> But, when I ran your samba-check-set-sysvol.sh script it told me to set EVERYONE: READ. See below:
> 
> > > $ ./samba-check-set-sysvol.sh
> > > Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
> > > The sysvol ACLS info.....
> > > 
> > > Please check your share rights for sysvol from within windows.
> > > If these are incorrect, correct them and run this script again.
> > > Set your sysvol SHARE permissions as followed.
> > > EVERYONE: READ              <----------------------------------
> > > Authenticated Users: FULL CONTROL
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> > > User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.
> > > 
> > > Set your sysvol FOLDER permissions as followed.
> > > Authenticated Users: Read & Exec, Show folder content, Read
> > > (BUILTIN or NTDOM)\Administrators: FULL CONTROL
> > > (BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
> 
> Perhaps I'm confusing Folder permissions and Share permissions.
No, I answered wrong here.

What's posted is correct.
Set the "SHARE" permissions as above tells you.

> 
> > Look here, and setup like that.
> > https://support.microsoft.com/nl-nl/help/2838154/permissions-for-this-gpo-in-the-sysvol-folder-are-inconsistent-with-th
> 
> Problem: On that link, step 2 "Check whether the Listobject permission is set for the Authenticated Users group and whether the Authenticated Users group is missing from the Delegation tab of the Group Policy Object." When I edit 'Authenticated Users', I don't have that "Default Domain Controllers Policy" dialog. Or if I do, that link doesn't tell me how to get there.
> 
> Let me list everything I've got:
> 
> sysvol FOLDER Permissions:
> 
> CREATOR OWNER 
> special
> (Advanced) Subfolders and files only
> Full Control - everything is checked)
> (apply these permissions to objects and/or containers ... not checked)
> 
> CREATOR GROUP Subfolders and files only
> special
> (Advanced) Subfolders and files only
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
> 
> Authenticated Users
> Read & Execute
> List folder contents
> Read
> (Advanced) This folder, Subfolders and files
> Traverse folder / execute file
> List folder / read data
> Read attributes
> Read extended attributes
> Read permissions
> (apply these permissions to objects and/or containers ... not checked)
> 
> SYSTEM
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
> 
> Administrators (HPRS\Administrators)
> Full control
> (advanced) This folder, subfolders and files
> full control - everything is checked
> (apply these permissions to objects and/or containers ... not checked)
> 
> sysvol SHARE Permissions:
> 
> EVERYONE: READ
> Authenticated Users: FULL CONTROL
> HPRS\Administrators: FULL CONTROL
> SYSTEM, FULL CONTROL
> 
> Does this look correct? Is this what you have?

Yes, that's exactly what I also have.
But ... Did you reapply all settings to all the subfolders after you applied them?

And what might be wrong is that you might be trying to apply a user setting for a computer, or a computer setting for a user.

The difference is, which user is trying to access the file of the group policy. 
A) computer = user SYSTEM that impersonates user COMPUTERNAME$ 
B) user = user You_Windows_User


> 
> Nevertheless, when I try to log into a workstation as a domain user I still do not get that user's desktop. In the Windows eventlog Windows Logs > System, I get Event 1906 error, GroupPolicy:
> 
> Error Description: Access is denied.
> GPOCName: LDAP://CN=User,cn={178C3418-E432-414A-9185-DCD1AB359A3B},cn=policies,cn=system,DC=hprs,DC=local
> FilePath: \\hprs.local\SysVol\hprs.local\Policies\{178C3418-E432-414A-9185-DCD1AB359A3B}\User\registry.pol
> 
> This is driving me crazy!

Yep, I know that, been there.

> 
> --Mark
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 


Greetz, 

Louis
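As an added example (not part of this thread, nor a Samba tool), the following script turns the sysvol FOLDER baseline Louis and Mark agree on above into a check: it parses an icacls-style ACL listing of the SYSVOL folder (the output format of Windows' icacls.exe is assumed here) and reports every entry that differs from the baseline, in particular Everyone or Authenticated Users holding write-class rights, which is the over-permissive state Mark started from. The SYSVOL path and both listings are constructed sample data; Administrators and SYSTEM are matched on the account name without the BUILTIN or domain prefix, as the script output quoted above allows either.

```python
"""Compare a SYSVOL folder ACL (icacls-style listing) with the baseline
from the thread: Authenticated Users read & execute only, Administrators
and SYSTEM full control, CREATOR OWNER full control on subfolders and
files only.  Added example, not part of the thread or of Samba."""
import re

# Baseline folder rights, as icacls simple-rights tokens, keyed by the
# account name without its BUILTIN\ or DOMAIN\ prefix.
EXPECTED = {
    "Authenticated Users": {"RX"},
    "SYSTEM": {"F"},
    "Administrators": {"F"},
    "CREATOR OWNER": {"F"},
}
# Broad principals that must never hold write-class rights on SYSVOL.
BROAD_GROUPS = {"Everyone", "Authenticated Users"}
WRITE_RIGHTS = {"F", "M", "W", "D"}

# One ACE as icacls prints it:  principal:(flag)(flag)...(rights)
ACE_RE = re.compile(
    r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)\((?P<rights>[A-Za-z,]+)\)$"
)

SYSVOL_PATH = r"C:\Windows\SYSVOL\sysvol"  # assumed path, constructed sample

# Constructed listing that matches the baseline from the thread.
GOOD_LISTING = r"""C:\Windows\SYSVOL\sysvol NT AUTHORITY\Authenticated Users:(OI)(CI)(RX)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         BUILTIN\Administrators:(OI)(CI)(F)
                         CREATOR OWNER:(OI)(CI)(IO)(F)

Successfully processed 1 files; Failed processing 0 files
"""

# Constructed listing with Everyone and Authenticated Users over-granted
# and the CREATOR OWNER entry missing.
BAD_LISTING = r"""C:\Windows\SYSVOL\sysvol Everyone:(OI)(CI)(F)
                         NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
                         NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                         HPRS\Administrators:(OI)(CI)(F)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_icacls(text, path):
    """Return [(account_name, inheritance_flags, rights_set), ...].

    icacls prints the first ACE on the same line as the path, the rest as
    indented continuation lines, then a summary line.
    """
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACE line: {raw!r}")
        who = m.group("who").rsplit("\\", 1)[-1]  # drop BUILTIN\ / DOMAIN\
        flags = set(re.findall(r"\(([A-Z]+)\)", m.group("flags")))
        rights = set(m.group("rights").split(","))
        aces.append((who, flags, rights))
    return aces


def check_sysvol_acl(text, path):
    """Return a list of findings; an empty list means the ACL matches."""
    findings = []
    granted = {}
    for who, flags, rights in parse_icacls(text, path):
        granted.setdefault(who, set()).update(rights)
        too_much = rights & WRITE_RIGHTS
        if who in BROAD_GROUPS and too_much:
            findings.append(f"{who} holds write-class rights {sorted(too_much)}")
        # CREATOR OWNER must apply to subfolders and files only (inherit-only).
        if who == "CREATOR OWNER" and "IO" not in flags:
            findings.append("CREATOR OWNER entry is not inherit-only")
    for who, want in EXPECTED.items():
        got = granted.get(who)
        if got is None:
            findings.append(f"missing ACE for {who}")
        elif got != want:
            findings.append(f"{who} has {sorted(got)}, expected {sorted(want)}")
    return findings


if __name__ == "__main__":
    for name, listing in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
        print(name, check_sysvol_acl(listing, SYSVOL_PATH) or ["OK"])
```

Run it against the real listing by feeding it the output of `icacls` on the SYSVOL folder instead of the constructed samples; the check is deliberately strict (a principal with F where the baseline says RX is reported as a deviation, not accepted as "at least read"), because the thread's failure mode is the over-permissive direction.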



